anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Grype does not detect vulnerable Micronaut CVE-2024-23639 #1730

Open Atharex opened 8 months ago

Atharex commented 8 months ago

What happened: Grype/Syft do not detect CVE-2024-23639, a vulnerability in the Micronaut framework for Java/Kotlin.

What you expected to happen: The Micronaut component to be listed by Syft and recognized as vulnerable by Grype for CVE-2024-23639

How to reproduce it (as minimally and precisely as possible): You could probably test it on any old publicly accessible image with Micronaut. Example:

grype schnatterer/micronaut-getting-started:latest

Anything else we need to know?:

Environment:

willmurphyscode commented 8 months ago

Hi @Atharex thanks for the report! I've reproduced the issue and will move it to our backlog. Details below.

I think there are two things going on here:

syft -q schnatterer/micronaut-getting-started:latest | grep micro
micronaut-getting-started  0.1           java-archive

So Syft doesn't find an instance of a vulnerable jar in the image. Do you know for sure the image has a vulnerable jar in it?

However, to check whether Grype is working as expected here, I downloaded the jar directly:

wget https://repo1.maven.org/maven2/io/micronaut/micronaut-http-server/3.8.2/micronaut-http-server-3.8.2.jar
syft -q -o json micronaut-http-server-3.8.2.jar | jq '.artifacts[] | { name: .name, purl: .purl }'

Which prints:

{
  "name": "micronaut-http-server",
  "purl": "pkg:maven/io.micronaut.http_server/micronaut-http-server@3.8.2"
}

I think the issue here is that we think the group id is io.micronaut.http_server, but according to https://mvnrepository.com/artifact/io.micronaut/micronaut-http-server/3.8.2, it should be just io.micronaut.

If I write out an SBOM, and edit it so that the PURL on this package has the correct group ID (pkg:maven/io.micronaut/micronaut-http-server@3.8.2), then grype reports the CVE correctly.

Dev notes: Syft reporting wrong group ID for JARs like this one: https://mvnrepository.com/artifact/io.micronaut/micronaut-http-server/3.8.2
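The SBOM edit described above (rewriting the package's PURL so that Grype can match it against the advisory) as a script rather than a manual edit, added here as an example and not code from Grype, Syft or the commenter. It assumes the Syft JSON shape shown by the jq query above (`artifacts[]` with `name` and `purl`), uses the one group-ID correction verified in this thread, and runs on a constructed sample SBOM.

```python
import json
import re
import sys

# Constructed sample shaped like `syft -o json` output (only the fields used here).
SAMPLE_SBOM = {
    "artifacts": [
        {"name": "micronaut-http-server", "version": "3.8.2", "type": "java-archive",
         "purl": "pkg:maven/io.micronaut.http_server/micronaut-http-server@3.8.2"},
        {"name": "micronaut-getting-started", "version": "0.1", "type": "java-archive",
         "purl": "pkg:maven/com.example/micronaut-getting-started@0.1"},
    ]
}

# Hypothetical override table: artifact name -> correct Maven group ID.
# The only entry is the correction confirmed in this thread.
GROUP_ID_OVERRIDES = {"micronaut-http-server": "io.micronaut"}

# pkg:maven/<namespace>/<name>@<version and anything after it>
PURL_MAVEN = re.compile(r"^pkg:maven/(?P<ns>[^/]+)/(?P<name>[^@]+)@(?P<rest>.+)$")


def fix_maven_purl(purl: str, group_id: str) -> str:
    """Return the PURL with its namespace (Maven group ID) replaced; version,
    qualifiers and subpath after '@' are carried over unchanged."""
    m = PURL_MAVEN.match(purl)
    if not m:
        raise ValueError(f"not a pkg:maven PURL: {purl}")
    return f"pkg:maven/{group_id}/{m['name']}@{m['rest']}"


def patch_sbom(sbom: dict, overrides: dict) -> list:
    """Rewrite PURLs in place for artifacts listed in `overrides`.
    Returns a list of (name, old_purl, new_purl) for every artifact changed."""
    changed = []
    for art in sbom.get("artifacts", []):
        group_id = overrides.get(art.get("name"))
        purl = art.get("purl", "")
        if group_id is None or not purl.startswith("pkg:maven/"):
            continue
        new_purl = fix_maven_purl(purl, group_id)
        if new_purl != purl:
            changed.append((art["name"], purl, new_purl))
            art["purl"] = new_purl
    return changed


if __name__ == "__main__":
    # Read a Syft JSON SBOM from stdin (or use the sample), write the patched SBOM to stdout.
    sbom = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SBOM
    for name, old, new in patch_sbom(sbom, GROUP_ID_OVERRIDES):
        print(f"{name}: {old} -> {new}", file=sys.stderr)
    json.dump(sbom, sys.stdout, indent=2)
```

Run as `syft -q -o json <image> | python fix_purls.py > patched.json` and then scan the result with `grype sbom:patched.json`; the rewrite log goes to stderr so stdout stays valid JSON.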